From: michaelpenne Date: Thu, 27 Jan 2005 21:36:12 +0000 (+0000) Subject: variable cleaning and sesskey updates X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=f862f00d54157cebe170271351242b10372838ac;p=moodle.git variable cleaning and sesskey updates --- diff --git a/mod/lesson/import.php b/mod/lesson/import.php index 5d2ab45b9a..4fa31e53e5 100644 --- a/mod/lesson/import.php +++ b/mod/lesson/import.php @@ -4,8 +4,9 @@ require_once("../../config.php"); require_once("locallib.php"); - optional_variable($format); - require_variable($id); // Course Module ID + $format = optional_param('format'); + $id = required_param('id', PARAM_INT); // Course Module ID + $pageid = required_param('pageid', PARAM_INT); if (! $cm = get_record("course_modules", "id", $id)) { error("Course Module ID was incorrect"); @@ -33,8 +34,8 @@ "wwwroot/course/view.php?id=$course->id\">$course->shortname -> ". "id>$strlessons -> id\">$lesson->name-> $strimportquestions"); - if ($form = data_submitted()) { /// Filename - + if ($form = lesson_clean_data_submitted()) { /// Filename + confirm_sesskey(); $form->format = clean_filename($form->format); // For safety if (isset($form->filename)) { // file already on server @@ -78,7 +79,7 @@ error("Error occurred during pre-processing!"); } - if (! $format->importprocess($newfile['tmp_name'], $lesson, $_POST['pageid'])) { // Process the uploaded file + if (! $format->importprocess($newfile['tmp_name'], $lesson, $pageid)) { // Process the uploaded file error("Error occurred during processing!"); } @@ -112,7 +113,8 @@ print_simple_box_start("center", "", "$THEME->cellheading"); echo "
"; echo "id\">\n"; - echo "\n"; + echo "\n"; + echo "sesskey."\">\n"; echo ""; echo "
"; diff --git a/mod/lesson/lesson.php b/mod/lesson/lesson.php index 7d693fea0a..0241fe0520 100644 --- a/mod/lesson/lesson.php +++ b/mod/lesson/lesson.php @@ -102,6 +102,7 @@ +
@@ -156,6 +157,8 @@ error("Only teachers can look at this page"); } + confirm_sesskey(); + // first get the preceeding page $pageid = required_param('pageid', PARAM_INT); @@ -218,6 +221,8 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } + + confirm_sesskey(); // first get the preceeding page // if $pageid = 0, then we are inserting a new page at the beginning of the lesson @@ -285,6 +290,8 @@ error("Only teachers can look at this page"); } + confirm_sesskey(); + // first get the preceeding page $pageid = required_param('pageid', PARAM_INT); @@ -379,17 +386,19 @@ +
"; echo get_string("questiontype", "lesson").": \n"; echo helpbutton("questiontype", get_string("questiontype", "lesson"), "lesson")."
"; if (isset($_GET['qtype'])) { - lesson_qtype_menu($LESSON_QUESTION_TYPE, $_GET['qtype'], + $qtype = clean_param($_GET['qtype'], PARAM_INT); + lesson_qtype_menu($LESSON_QUESTION_TYPE, $qtype, "lesson.php?id=$cm->id&action=addpage&pageid=".$pageid.$linkadd); // NoticeFix rearraged - if ( $_GET['qtype'] == LESSON_SHORTANSWER || $_GET['qtype'] == LESSON_MULTICHOICE || !isset($_GET['qtype']) ) { // only display this option for Multichoice and shortanswer - if ($_GET['qtype'] == LESSON_SHORTANSWER) { + if ( $qtype == LESSON_SHORTANSWER || $qtype == LESSON_MULTICHOICE ) { // only display this option for Multichoice and shortanswer + if ($qtype == LESSON_SHORTANSWER) { echo "

".get_string("casesensitive", "lesson").": \n"; } else { echo "

".get_string("multianswer", "lesson").": \n"; @@ -576,6 +585,8 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } + + confirm_sesskey(); $pageid = required_param('pageid', PARAM_INT); if (!$thispage = get_record("lesson_pages", "id", $pageid)) { @@ -594,13 +605,16 @@ } } notice_yesno(get_string("confirmdeletionofthispage","lesson"), - "lesson.php?action=delete&id=$cm->id&pageid=$pageid", + "lesson.php?action=delete&id=$cm->id&pageid=$pageid&sesskey=".$USER->sesskey, "view.php?id=$cm->id"); } /****************** continue ************************************/ elseif ($action == 'continue' ) { + + confirm_sesskey(); + //CDC Chris Berri added this echo call for left menu. must match that in view.php for styles if ($lesson->displayleft) { echo '
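Review bot: In the @@ -1420 hunk the delete branch gains `confirm_sesskey()` but keeps reading the record id straight from the superglobal on the context line `if (empty($_GET['pageid']))`, while every sibling branch in this commit (the @@ -156, @@ -285, @@ -576 and @@ -2184 hunks) takes it as `$pageid = required_param('pageid', PARAM_INT);`. A sesskey check ties the request to the session but says nothing about the value, and this is the branch that deletes a row, so the typed form belongs here too: replace the `empty($_GET['pageid'])` test with `$pageid = required_param('pageid', PARAM_INT);` and use `$pageid` below. The body of the branch continues past the hunk, so any later `$_GET['pageid']` uses would need the same treatment.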
'; @@ -1420,6 +1434,8 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } + + confirm_sesskey(); if (empty($_GET['pageid'])) { error("Delete: pageid missing"); @@ -1532,6 +1548,7 @@ +
custom) { - echo get_string("score", "lesson")." $iplus1: "; + echo get_string("score", "lesson")." $iplus1: "; } echo "\n"; break; @@ -1955,6 +1972,8 @@ error("Only teachers can look at this page"); } + confirm_sesskey(); + $timenow = time(); $form = lesson_clean_data_submitted(); @@ -2153,7 +2172,7 @@ } echo "
\n"; - echo "\n"; while (true) { if ($page->id != $pageid) { @@ -2161,7 +2180,7 @@ $title = "<< ".get_string("notitle", "lesson")." >>"; } echo "\n"; - echo "\n"; } if ($page->nextpageid) { @@ -2184,6 +2203,8 @@ error("Only teachers can look at this page"); } + confirm_sesskey(); + $pageid = required_param('pageid', PARAM_INT); // page to move if (!$page = get_record("lesson_pages", "id", $pageid)) { error("Moveit: page not found"); @@ -2285,6 +2306,8 @@ error("Only teachers can look at this page"); } + confirm_sesskey(); + $timenow = time(); $form = lesson_clean_data_submitted(); diff --git a/mod/lesson/view.php b/mod/lesson/view.php index 827a4c7a32..6d871d2764 100644 --- a/mod/lesson/view.php +++ b/mod/lesson/view.php @@ -7,8 +7,8 @@ require_once('locallib.php'); require_once('lib.php'); - require_variable($id); // Course Module ID - optional_variable($pageid); // Lesson Page ID + $id = required_param('id', PARAM_INT); // Course Module ID + $pageid = optional_param('pageid', NULL, PARAM_INT); // Lesson Page ID if (! $cm = get_record('course_modules', 'id', $id)) { error('Course Module ID was incorrect'); @@ -74,7 +74,7 @@ if (isteacheredit($course->id)) { $button = '
id&action=moveit&pageid=$pageid&after=0\">". + echo "
id&sesskey=".$USER->sesskey."&action=moveit&pageid=$pageid&after=0\">". get_string("movepagehere", "lesson")."
cellheading2\">$title
id&action=moveit&pageid=$pageid&after={$page->id}\">". + echo "
id&sesskey=".$USER->sesskey."&action=moveit&pageid=$pageid&after={$page->id}\">". get_string("movepagehere", "lesson")."
'; $button .= ''. - ''. + ''. ''. ''. ''; @@ -136,7 +136,7 @@ if ($lesson->usepassword && !isteacher($course->id)) { $correctpass = false; if (isset($_POST['userpassword'])) { - if ($lesson->password == md5(trim($_POST['userpassword']))) { + if ($lesson->password == md5(trim(clean_param($_POST['userpassword'], PARAM_CLEAN)))) { $USER->lessonloggedin[$lesson->id] = true; $correctpass = true; } @@ -588,6 +588,7 @@ echo "id\" />"; echo ""; echo ""; + echo "sesskey."\" />"; /// CDC-FLAG /// if (!$lesson->slideshow || $page->qtype != 20) { print_simple_box_start("center"); @@ -1249,13 +1250,14 @@ echo ""; } else { if(isset($_GET['display']) && !isset($_GET['viewAll'])) { + $display = clean_param($_GET['display'], PARAM_INT); while(true) { - if($page->id == $_GET['display'] && $page->qtype == LESSON_BRANCHTABLE) { + if($page->id == $display && $page->qtype == LESSON_BRANCHTABLE) { $branch = true; $singlePage = false; break; - } elseif($page->id == $_GET['display']) { + } elseif($page->id == $display) { $branch = false; $singlePage = true; break; @@ -1267,17 +1269,17 @@ // last page reached break; } - } + } echo "
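Review bot: `clean_param($_POST['userpassword'], PARAM_CLEAN)` in the @@ -136 hunk transforms the submitted password before it is hashed; PARAM_CLEAN is the HTML-cleaning filter, so a lesson password that contains characters it rewrites will no longer reproduce the stored md5 and the check fails for users who typed it correctly. The value is only hashed and compared here, never stored or echoed, so hashing the trimmed raw string, `if ($lesson->password == md5(trim($_POST['userpassword']))) {`, is the safe form, and if the project requires going through clean_param a raw pass-through type should be used rather than PARAM_CLEAN. While touching this line, `===` between the two hash strings avoids PHP's loose numeric-string comparison of `==`. The enclosing `if` block continues outside the hunk.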
".get_string("viewallpages", "lesson")."
\n"; echo "".get_string("backtreeview", "lesson")."
\n"; echo "\n"; if (isteacheredit($course->id)) { /// CDC-FLAG 6/16/04 /// - echo "
id&pageid=$page->prevpageid\">". + echo "
id&pageid=$page->prevpageid\">". get_string("importquestions", "lesson")." | ". - "id&action=addcluster&pageid=$page->prevpageid\">". + "id&sesskey=".$USER->sesskey."&action=addcluster&pageid=$page->prevpageid\">". get_string("addcluster", "lesson")." | ". - "id&action=addendofcluster&pageid=$page->prevpageid\">". + "id&sesskey=".$USER->sesskey."&action=addendofcluster&pageid=$page->prevpageid\">". get_string("addendofcluster", "lesson")." | ". "id&action=addbranchtable&pageid=$page->prevpageid\">". get_string("addabranchtable", "lesson")." | ". @@ -1290,12 +1292,12 @@ if($lesson->tree) { echo "
".get_string("backtreeview", "lesson")."
\n"; } - echo "
\n"; + echo "
\n"; if (isteacheredit($course->id)) { /// CDC-FLAG 6/16/04 /// echo "
id&pageid=0\">". get_string("importquestions", "lesson")." | ". - "id&action=addcluster&pageid=0\">". + "id&sesskey=".$USER->sesskey."&action=addcluster&pageid=0\">". get_string("addcluster", "lesson")." | ". "id&action=addbranchtable&pageid=0\">". get_string("addabranchtable", "lesson")." | ". @@ -1306,8 +1308,8 @@ } } /// CDC-FLAG /// end tree code (note, there is an "}" below for an else above) - echo "
\n"; while (true) { + echo "
\n"; echo "\n"; @@ -1387,7 +1389,7 @@ echo "\n"; - echo "\n"; @@ -1512,9 +1514,9 @@ /// CDC-FLAG /// 6/16/04 echo "
cellheading2\" colspan=\"2\">$page->title  \n"; if (isteacheredit($course->id)) { if ($npages > 1) { @@ -1316,7 +1318,7 @@ } echo "id&action=editpage&pageid=$page->id\">\n". "\"edit\"\n". - "id&action=confirmdelete&pageid=$page->id\">\n". + "id&sesskey=".$USER->sesskey."&action=confirmdelete&pageid=$page->id\">\n". "\"delete\"\n"; } echo "
\n"; echo format_text($answer->answer); echo "
".get_string("response", "lesson")." $i: \n"; + echo "
".get_string("response", "lesson")." $i: \n"; echo "\n"; echo format_text($answer->response); echo "
id&pageid=$page->id\">". get_string("importquestions", "lesson")." | ". - "id&action=addcluster&pageid=$page->id\">". + "id&sesskey=".$USER->sesskey."&action=addcluster&pageid=$page->id\">". get_string("addcluster", "lesson")." | ". - "id&action=addendofcluster&pageid=$page->id\">". + "id&sesskey=".$USER->sesskey."&action=addendofcluster&pageid=$page->id\">". get_string("addendofcluster", "lesson")." | ". "id&action=addbranchtable&pageid=$page->id\">". get_string("addabranchtable", "lesson")."
"; @@ -1525,7 +1527,7 @@ $nextqtype = get_field("lesson_pages", "qtype", "id", $page->nextpageid); } if (($page->qtype != LESSON_ENDOFBRANCH) and ($nextqtype != LESSON_ENDOFBRANCH)) { - echo "id&action=addendofbranch&pageid=$page->id\">". + echo "id&sesskey=".$USER->sesskey."&action=addendofbranch&pageid=$page->id\">". get_string("addanendofbranch", "lesson")." | "; } echo "id&action=addpage&pageid=$page->id\">". @@ -1648,12 +1650,12 @@ } } // email link for this user - $emaillink = "id&action=emailessay&userid=".$id."\">".get_string("emailgradedessays", "lesson").""; + $emaillink = "id&action=emailessay&userid=".$id."&sesskey=".$USER->sesskey."\">".get_string("emailgradedessays", "lesson").""; $table->data[] = array($studentname, implode(", ", $essaylinks), $emaillink); } // email link for all users - $emailalllink = "id&action=emailessay\">".get_string("emailallgradedessays", "lesson").""; + $emailalllink = "id&action=emailessay&sesskey=".$USER->sesskey."\">".get_string("emailallgradedessays", "lesson").""; $table->data[] = array(" ", " ", $emailalllink); @@ -1664,7 +1666,7 @@ elseif ($action == 'essaygrade') { print_heading_with_help($lesson->name, "overview", "lesson"); - require_variable($attemptid); + $attemptid = require_variable('attemptid'); if (!$essay = get_record("lesson_attempts", "id", $attemptid)) { error("Error: could not find essay"); @@ -1684,6 +1686,7 @@ echo "id\" />\n"; echo "\n"; echo "\n"; + echo "sesskey."\" />\n"; // all tables will have these $table->align = array("left"); @@ -1739,7 +1742,9 @@ elseif ($action == 'updategrade') { print_heading_with_help($lesson->name, "overview", "lesson"); - $form = data_submitted(); + confirm_sesskey(); + + $form = lesson_clean_data_submitted(); if (!$essay = get_record("lesson_attempts", "id", $form->attemptid)) { error("Error: could not find essay"); 
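Review bot: `$attemptid = require_variable('attemptid');` in the @@ -1664 hunk does not match the conversion the rest of this commit performs. On the old side require_variable is used as a statement on the variable itself, and nothing on the page shows it returning a value; passing the literal string 'attemptid' makes its presence check trivially pass and leaves `$attemptid` with whatever the function returns, presumably null, so the following `get_record("lesson_attempts", "id", $attemptid)` lookup receives no usable id. The @@ -7 hunk of the same file shows the intended form; this line should read `$attemptid = required_param('attemptid', PARAM_INT);`.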
@@ -1781,9 +1786,12 @@ elseif ($action == 'emailessay') { print_heading_with_help($lesson->name, "overview", "lesson"); - if (isset($_GET['userid'])) { - $queryadd = " AND userid = ".$_GET['userid']; - if (! $users = get_records("user", "id", $_GET['userid'])) { + confirm_sesskey(); + + if (isset($_GET['userid'])) { + $userid = clean_param($_GET['userid'], PARAM_INT); + $queryadd = " AND userid = ".$userid; + if (! $users = get_records("user", "id", $userid)) { error("Error: could not find users"); } } else { @@ -1905,6 +1913,8 @@ /*******************update high scores **************************************/ elseif ($action == 'updatehighscores') { print_heading_with_help($lesson->name, "overview", "lesson"); + + confirm_sesskey(); if (!$grades = get_records_select("lesson_grades", "lessonid = $lesson->id", "completed")) { error("Error: could not find grades"); @@ -1969,7 +1979,7 @@ $newhighscore->userid = $USER->id; $newhighscore->gradeid = $newgrade->id; if (isset($_GET['name'])) { - $newhighscore->nickname = $_GET['name']; + $newhighscore->nickname = clean_param($_GET['name'], PARAM_CLEAN); } if (!insert_record("lesson_high_scores", $newhighscore)) { error("Insert of new high score Failed!"); @@ -1983,8 +1993,9 @@ print_heading_with_help($lesson->name, "overview", "lesson"); echo "
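Review bot: In the @@ -1969 hunk the `updatehighscores` branch writes `$_GET['name']` to `lesson_high_scores` after clean_param, but the `lesson_check_nickname` gate shown in the @@ -1983 hunk runs only in the nickname form branch before redirecting here; the value that is actually inserted comes from the redirect URL and is never re-checked, and `confirm_sesskey()` earlier in this action binds the request to a session without validating the value. If lesson_check_nickname is the policy check for acceptable nicknames, it belongs in front of the insert as well, e.g. `if (!lesson_check_nickname($newhighscore->nickname)) { error(get_string("namereject", "lesson")); }`. The assignment to `$newhighscore` begins outside the hunk.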
"; if (isset($_POST['name'])) { - if (lesson_check_nickname(trim($_POST['name']))) { - redirect("view.php?id=$cm->id&action=updatehighscores&name=".trim($_POST['name']), get_string("nameapproved", "lesson")); + $name = trim(param_clean($_POST['name'], PARAM_CLEAN)); + if (lesson_check_nickname($name)) { + redirect("view.php?id=$cm->id&action=updatehighscores&name=$name&sesskey=".$USER->sesskey, get_string("nameapproved", "lesson")); } else { echo get_string("namereject", "lesson")."

"; }
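Review bot: `param_clean($_POST['name'], PARAM_CLEAN)` in the @@ -1983 hunk is a transposed function name; every other hunk in this commit calls `clean_param`, and an undefined function is a fatal error on the first submit of the nickname form. The cleaned name is then interpolated unencoded into the redirect URL, so a nickname containing a space, `&` or `#` corrupts the query string and the `sesskey` parameter that follows it. Suggested lines: `$name = trim(clean_param($_POST['name'], PARAM_CLEAN));` and `redirect("view.php?id=$cm->id&action=updatehighscores&name=".urlencode($name)."&sesskey=".$USER->sesskey, get_string("nameapproved", "lesson"));`. The surrounding action branch appears to continue past the hunk.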